9. Data Protection Act
Guidance for driving examiners on the Data Protection Act.
The implications of breaching the Data Protection Act are serious. Individuals are responsible personally for information they give out and are liable to be prosecuted if they are found to have disclosed information inappropriately. Legislation does not hold the agency responsible under these circumstances.
DVSA have made great efforts over the last decade to allow examiners to conduct tests in a more customer-friendly manner and the Data Protection Act must not be used as an excuse to return to a less customer-focused approach. Information is still freely available through the correct channels to the correct people.
At the start of the test, the examiners must ask the candidate whether they want their instructor/accompanying driver present on the test and for the result and feedback at the end of the test.
For digital tests, the candidate must confirm whether they want their end of test summary to be sent via email to the email address provided during booking, an alternative email address, or by post.
(If the test was not accompanied and the instructor/accompanying driver comes over to the vehicle to listen to the conclusion of the test, the examiner should confirm with the candidate that they want their instructor/accompanying driver present.)
If the candidate elects not to have their instructor/accompanying driver present for the decision and de-brief, then the examiner should ensure that the candidate’s request is complied with.
Any subsequent enquiries made by the instructor about their pupil’s performance must be referred back to the candidate in all cases. Examiners must not discuss previous tests with instructors.
In the event of a complaint being received, examiners must not assume that instructors are aware of the candidate’s complaint. Merely telling an instructor that a candidate has complained is a breach of the Data Protection Act. Examiners must not bring customer complaints to the attention of instructors, or discuss them with instructors.
No information regarding driving test performance may be discussed with a third party. All requests should be referred to the HEO, SEO, or Customer Service Centre to answer.
If a candidate writes requesting information about their particular test, DVSA must supply that information. Forward all written requests to the HEO, SEO, and area customer service unit to answer.
An information security incident is any actual or potential compromise of DVSA’s information.
An information security incident is any actual or potential compromise of DVSA’s data, systems, or activities.
Examples are varied and include:
- physical security of DVSA sites, for example faulty CCTV or broken windows
- unauthorised disclosure of personal or sensitive information, for example being sent to the wrong recipient
- lost or stolen information or equipment
- information kept longer than necessary
- breaches of information management and security policies or legislation, such as the Data Protection Act
Reporting procedure
You must report security incidents to the Information Management, Security and Data (IMS and D) team immediately.
You can do this by completing the reporting form and emailing it to information.handling@dvsa.gov.uk.
You must report security incidents immediately.
Investigation
The IMS and D team will then:
1. See whether a genuine incident has occurred.
2. Analyse the incident to understand what has happened and why.
3. Contain the incident.
4. Identify improvements that can be put in place to reduce the risk of it happening again.
The DVSA does not charge for supplying written information. Test results are emailed directly to candidates after the test, using the email address provided in their booking record.
If a candidate requests to see all information held about them within the agency, they should contact dataprotection@dvsa.gov.uk. If a third party writes on the candidate’s behalf, the DVSA cannot process the enquiry or complaint without the candidate’s written permission.